15 matches found
EUVD-2026-30607
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.0, the LDAP and OAuth authentication flows use a TOCTOU (Time-of-Check-Time-of-Use) pattern for first-user admin role assignment. The regular signup handler signuphandler in auths.py, line...
EUVD-2026-27135
Nginx-UI: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim...
GHSA-H27V-PH7W-M9FP Nginx-UI: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim
Summary: An unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable without authentication, and the request-encryption flow only protects payload confidentiality in...
Nginx-UI: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim
An unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable without authentication, and the request-encryption flow only protects payload confidentiality in transit; i...
CVE-2026-42221
Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable...
CVE-2026-42221 nginx-ui: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim
Nginx UI is a web user interface for the Nginx web server. From version 2.0.0 to before version 2.3.8, an unauthenticated network attacker can claim the initial administrator account on a fresh nginx-ui instance during the first-run setup window. The public /api/install endpoint is reachable...
CVE-2026-42221
Summary: CVE-2026-42221 affects nginx-ui versions 2.0.0 through 2.3.7, where an unauthenticated attacker can claim the initial administrator account during first-run via the public /api/install endpoint. The installation flow and public keys are not authenticated, allowing an attacker to set admi...
PT-2026-36921
Name of the Vulnerable Software and Affected Versions: Nginx UI versions 2.0.0 through 2.3.7. Description: An unauthenticated network attacker can claim the initial administrator account on a fresh instance during the first-run setup window. The public endpoint "/api/install" is accessible without...
Signal K Server: Privilege Escalation by Admin Role Injection via /enableSecurity
Summary: According to SignalK's security documentation, when a server is first initialized without security enabled, the /skServer/enableSecurity endpoint is intentionally exposed to allow the owner to set up the initial admin account. This initial open access is by design. However, the critical...
SHARP routers missing authentication for some web APIs
Overview: SHARP routers do not perform authentication for some web APIs. Those web APIs provide device information, and the initial administrative password is based on a part of the device information. Missing authentication for critical function (CWE-306) - CVE-2026-32326. Shota Zaizen reported this...
EUVD-2026-15194
SHARP routers do not perform authentication for some web APIs. The device information may be retrieved without authentication. If the administrative password of the device is left as the initial one, the device may be taken over...
Commvault Initial Administrator Login Process Vulnerability
An issue was discovered in Commvault before 11.36.60. During the brief window between installation and the first administrator login, remote attackers may exploit the default credential to gain admin control. This is limited to the setup phase, before any jobs have been configured. id:...
Lexmark authorization issue vulnerability
Lexmark is a family of printers in the United States. An authorization issue vulnerability exists in Lexmark devices: the product's initial administrative account setup wizard allows an unauthenticated user to access the out-of-service erase function...